Question
In the Firebase documentation https://firebase.google.com/docs/firestore/manage-data/enable-offline there is a paragraph about offline persistence.
For the web, offline persistence is disabled by default. To enable persistence, call the enablePersistence method. Cloud Firestore's cache isn't automatically cleared between sessions. Consequently, if your web app handles sensitive information, make sure to ask the user if they're on a trusted device before enabling persistence.
Why is it in general not recommended to enable it on not trusted devices?
How can people potentially exploit it?
And if there is a way to prevent it? (besides not enabling on untrusted devices)
P.S: Good articles for evening reading are much appreciated :)
Answer 1:
Why is it in general not recommended to enable it on not trusted devices?
Because the user's data that they read and wrote during the session is sitting right there in that file created for the local cache.
How can people potentially exploit it?
By gaining access to that file. The easiest thing would be to use the same (public) computer that they used without it first being wiped clean, but that's not the only way to read a file on a computer that others have access to.
And if there is a way to prevent it? (besides not enabling on untrusted devices)
Somehow arrange for that file to be immediately removed as soon as the user has stopped interacting with the web site that created it.
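One way to put the two recommendations above into practice (ask about a trusted device before enabling persistence, and remove the cache when the session ends), as an added example that is not part of the question or the answer. It assumes the Firebase JS SDK v9 modular functions `enableIndexedDbPersistence`, `terminate` and `clearIndexedDbPersistence`; the stand-in SDK object is constructed here so the logic runs without a browser or a Firebase project.

```javascript
// Added example, not code from the question, the answer or the Firebase docs:
// only enable Firestore web persistence when the user says the device is
// trusted, and wipe the IndexedDB cache on sign-out. The SDK functions are
// passed in so the logic runs here with a constructed stand-in; a real app
// would pass { enableIndexedDbPersistence, terminate, clearIndexedDbPersistence }
// from "firebase/firestore" (v9 modular API).

// `trusted` is the user's answer to the "trusted device?" prompt.
async function setupPersistence(db, sdk, trusted) {
  if (!trusted) return { persisted: false, reason: "untrusted device" };
  try {
    await sdk.enableIndexedDbPersistence(db);
    return { persisted: true, reason: "enabled" };
  } catch (err) {
    // 'failed-precondition': another tab already owns persistence;
    // 'unimplemented': browser lacks IndexedDB support. Stay online-only.
    return { persisted: false, reason: err.code || "unknown" };
  }
}

// On sign-out, remove the cache. The SDK refuses to clear a running
// instance, so terminate() has to complete before the clear call.
async function wipeLocalCache(db, sdk) {
  await sdk.terminate(db);
  await sdk.clearIndexedDbPersistence(db);
  return true;
}

// Constructed stand-in: records call order instead of touching IndexedDB,
// and mirrors the real precondition that clear() needs a terminated instance.
function fakeSdk(options = {}) {
  const calls = [];
  const fail = (code) => { const e = new Error(code); e.code = code; return e; };
  return {
    calls,
    enableIndexedDbPersistence: async () => {
      calls.push("enable");
      if (options.failCode) throw fail(options.failCode);
    },
    terminate: async () => { calls.push("terminate"); },
    clearIndexedDbPersistence: async () => {
      if (calls[calls.length - 1] !== "terminate") throw fail("failed-precondition");
      calls.push("clear");
    },
  };
}
```

Hook `wipeLocalCache` to the sign-out handler (and, if the app can tolerate it, to `pagehide`) so the cache does not outlive the session on a shared machine.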
Source: https://stackoverflow.com/questions/57999550/why-enabling-offline-support-for-all-devices-isnt-recommended